Firewalls Get Failing Marks; Enterprise Security Flunking, Too

Enterprise security professionals live by a simple creed: there's no such thing as absolute protection.

No combination of anti-virus, network admission control (NAC), firewall, intrusion detection system (IDS), intrusion prevention system (IPS), content-filtering gateway, or other security technology is sufficient to guarantee complete impregnability. In every case, security pros stress, you must do what you can to contain the damage.

That's one reason why a report published recently by NSS Labs likely didn't come as a surprise to most security pros. According to NSS’ Network Firewall Comparative Group Test Report for the first quarter of 2011, all six of the firewall products it tested revealed shortcomings or limitations of some kind.

NSS was able to crash three out of the six firewall systems it tested -- all of which are certified either under the Common Criteria for Information Technology Security Evaluation (Common Criteria) or by the International Computer Security Association (ICSA).

On top of this, five out of six firewalls failed a “Sneak ACK attack,” which spoofs a TCP split handshake. In the case of a real Sneak ACK attack, NSS says, an attacker would have been able to successfully traverse the firewall.

Check Point's Power-1 was the only one of the six firewalls tested that was able to successfully detect and deflect the Sneak ACK attack.
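The split handshake that the Sneak ACK test exercises works by having the responder answer the client's SYN with its own bare SYN instead of a SYN/ACK, so the client ends up sending the SYN/ACK and a device that keys direction on "who sent the SYN" can be tricked into treating the outside host as the initiator. The following is an added illustration, not code from the article or from NSS Labs, of a minimal connection tracker that pins flow direction to the first SYN and flags split handshakes for alerting; the packet tuples and addresses are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    initiator: str          # host that sent the first SYN; pinned for the flow's lifetime
    responder: str
    state: str = "SYN_SENT"
    split: bool = False     # True once the responder answers with a bare SYN

def track(packets):
    """Walk (src, dst, flags) tuples and return {frozenset({src, dst}): Flow}.

    Direction is fixed by whoever sent the first SYN. A bare SYN from the responder
    is recorded as a split handshake rather than opening a new flow in the reverse
    direction, which is the confusion the technique relies on.
    """
    flows = {}
    for src, dst, flags in packets:
        flags = frozenset(flags)
        k = frozenset((src, dst))
        f = flows.get(k)
        if f is None:
            if flags == {"SYN"}:                  # only a bare SYN may open a flow
                flows[k] = Flow(initiator=src, responder=dst)
            continue
        from_resp = src == f.responder
        if f.state == "SYN_SENT" and from_resp:
            if flags == {"SYN", "ACK"}:
                f.state = "SYN_RECEIVED"          # textbook three-way handshake
            elif flags == {"SYN"}:
                f.split, f.state = True, "SPLIT_SYN"
        elif f.state == "SYN_RECEIVED" and not from_resp and flags == {"ACK"}:
            f.state = "ESTABLISHED"
        elif f.state == "SPLIT_SYN" and not from_resp and flags == {"SYN", "ACK"}:
            f.state = "SPLIT_SYN_ACK"             # initiator now plays the server role
        elif f.state == "SPLIT_SYN_ACK" and from_resp and flags == {"ACK"}:
            f.state = "ESTABLISHED"
    return flows

def outbound_only(flows, inside):
    """Policy check: a flow passes only if its pinned initiator is an inside host."""
    return {k: f.initiator in inside for k, f in flows.items()}

def split_flows(packets):
    """Return the flows that completed via a split handshake, for alerting."""
    return [f for f in track(packets).values() if f.split and f.state == "ESTABLISHED"]

# Constructed sample traces: a normal and a split handshake, both started from 10.0.0.5.
NORMAL = [("10.0.0.5", "203.0.113.7", {"SYN"}), ("203.0.113.7", "10.0.0.5", {"SYN", "ACK"}),
          ("10.0.0.5", "203.0.113.7", {"ACK"})]
SPLIT = [("10.0.0.5", "203.0.113.9", {"SYN"}), ("203.0.113.9", "10.0.0.5", {"SYN"}),
         ("10.0.0.5", "203.0.113.9", {"SYN", "ACK"}), ("203.0.113.9", "10.0.0.5", {"ACK"})]
```

Because `initiator` is never reassigned, `outbound_only` reaches the same verdict for both traces; a tracker that re-derived direction from the responder's bare SYN would not.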

“IT organizations worldwide have relied on third-party testing and been misled,” said Vik Phatak, CTO of NSS Labs, in a prepared release. “These test results point towards the need for a much higher level of continuous testing of network firewalls to ensure they are delivering appropriate security and reliability.”

For example, NSS researchers say, a proposed testing regimen for measuring UDP processing performance (outlined in RFC 2544) doesn't tell prospective customers anything useful. “This traffic does not attempt to simulate any form of 'real-world' network condition,” the report indicates. “No TCP sessions are created during this test, and there is very little for the detection engine to do in the way of protocol analysis.”

The RFC 2544 testing regimen does test firewall performance in at least one respect. In the test case, a firewall has to verify that all incoming packets actually pass through its detection engine -- as distinct from simply being “fast-tracked from the inbound to the outbound port,” according to NSS Labs. It does this by writing a signature to incoming traffic. This, too, isn't in any sense a compelling real-world use case.

Just as NSS found issues or shortcomings with all major firewall platforms, it likewise flagged a worrisome people/process trend -- namely, neither IT nor the line of business seems to be taking appropriate steps to safeguard against next-generation attacks.

“[G]ranular application control is a requirement of [a next generation firewall, or NGFW] since it enables the administrator to define security policies based upon applications [as distinct from] ports,” the report explains. “[W]hile Application Control has received a lot of attention recently, ... enterprises are reluctant to embrace the technology beyond a limited scope.”

If anything, IT, the line of business, and human resources (HR) are playing a shift-the-blame game. “Our research shows that Enterprise Security wants to ensure that users are not bypassing the corporate firewall by tunneling Skype, peer-to-peer, instant messaging, and IRC applications over HTTP, which they view as a security concern,” according to the report. “However, Enterprise Security is reluctant to incur additional responsibilities for policing users' behavior.”

For this reason, the security group looks at some non-business activities (such as Facebook-based games) “as something that might legitimately occur during lunch, and therefore corporate ownership should be HR and not Security.” The end result, NSS Labs reports, is buck-passing, and buck-passing doesn't solve anything.

“We were repeatedly told that the enterprise already had a [W]eb proxy/filter which had corporate sponsorship in the HR department and that it was managed by IT, not Security,” says the report. “As such, the 'policing' of users is an HR concern, not a Security concern and belongs within [W]eb filtering solutions, not within the corporate firewall.”